July 5th, 2025
Web3
Blockchain
What is a ‘token’ and what is an EVM ‘token’? The answer may surprise you! (It certainly did surprise me!)
Honestly, it was only fairly recently that I, Jason Crowe, founder of Qortal, realized that what I always called ‘nonsense tokens’ are way more nonsensical than I ever could have imagined! In this blog post, we’ll look into why that is the case. The ‘crypto space’ needs legitimacy very badly right now. And that further amplifies the fact that it is time for Qortal to gain in popularity, which is way past overdue!
ERC-20 “Tokens” Are Contracts, Not Assets
That’s right, you heard me! In Ethereum (and in all ‘EVM’ clones):
A token is NOT a “thing”, it’s just a contract that claims to track balances.
There’s no native concept of an asset beyond ETH itself.
If a dev screws up transfer() logic, or adds a backdoor in approve(), you get a malicious “token” that can:
Freeze funds. (Yup, literally!)
Change your balance.[1] (As in… all of a sudden the balance in your wallet is no longer what it was legitimately before!)
Drain your wallet with clever allowances.[2] (I thought this was a blockchain!?)
This is exactly why:
Reentrancy attacks exist.
You need formal audits before using a basic swap.
Flash loan exploits can wipe entire protocols in a single atomic call.
It’s programmable finance, but with zero standard enforcement beyond conventions, and no native guarantee of anything.
Here are some research links I found, which corroborate my previous arguments about the riskiness of EVM tokens.
Exploiting ‘approval’ (nonsense that shouldn’t be needed, but is because it isn’t a native asset). Attackers have repeatedly abused the ERC-20 approve() function to drain users' wallets, often long after initial interactions with malicious contracts.[3]
A business logic flaw, as shown in the ETH token exploit. Attackers leveraged users’ lingering allowances to steal $450,000 in tokens, once again exposing the structural flaws of ERC-20’s approve() mechanism and the risks of non-native asset logic.[4]
Token exploit that allowed infinite token mint. Certain ERC-20 tokens have been vulnerable to flawed smart contract logic that lets attackers mint an unlimited number of tokens, completely destabilizing the token’s value and security.[5]
Security issues with the ERC-20 Standard, including multiple design flaws, such as the infamous approve() and transferFrom() race condition, which can lead to double-spending or unintended token transfers if not carefully mitigated in each implementation.[6]
There are MANY more examples like these… All of which can be wholly avoided, by not using fake tokens written into ‘contracts’ that pretend to be coins. (Who would have thought!?)
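To make two of the points above concrete (a ‘balance’ is only an entry in a contract’s storage, and the approve()/transferFrom() race condition), here is an added Python model. It is not code from this post or from any real token, and the names Erc20Model, safe_approve and lower_allowance are hypothetical. It contrasts the standard overwrite-style approve() with a compare-and-set variant, one possible mitigation.

```python
# Added illustration: an in-memory model of ERC-20 bookkeeping (not Solidity).
# All names here are hypothetical and chosen for the example.

class Erc20Model:
    """Balances and allowances are just mappings held by the contract."""

    def __init__(self, supply, owner):
        self.balances = {owner: supply}
        self.allowances = {}  # (owner, spender) -> remaining amount

    def approve(self, owner, spender, amount):
        # Standard semantics: overwrite whatever allowance was there.
        self.allowances[(owner, spender)] = amount

    def safe_approve(self, owner, spender, expected, amount):
        # Mitigation: compare-and-set. Refuse the update if the allowance is
        # no longer what the owner believes it is (part was already spent).
        if self.allowances.get((owner, spender), 0) != expected:
            raise ValueError("allowance changed since it was read")
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        key = (owner, spender)
        if self.allowances.get(key, 0) < amount:
            raise ValueError("insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        self.allowances[key] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def lower_allowance(use_safe):
    """The owner lowers an allowance from 100 to 50, but a transfer_from(100)
    is ordered ahead of that update. Returns the total moved to the spender."""
    t = Erc20Model(1000, "alice")
    t.approve("alice", "spender", 100)
    t.transfer_from("spender", "alice", "spender", 100)  # ordered first
    try:
        if use_safe:
            t.safe_approve("alice", "spender", 100, 50)
        else:
            t.approve("alice", "spender", 50)  # silently grants 50 more
        t.transfer_from("spender", "alice", "spender", 50)
    except ValueError:
        pass  # safe path: the stale update is rejected, nothing more moves
    return t.balances["spender"]
```

With the overwrite-style approve() the owner intended a cap of 50 but 150 leaves the account; with the compare-and-set variant the total stays at the 100 that was originally authorized.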
Qortal: Native Assets (‘tokens’), Native(ly) Trust(less)
With Qortal native assets, transactions are created the same way as QORT, signed by the account’s private key. If the account didn’t deliberately make the transaction, the balance isn’t changing!
Qortal’s design is sane:
Assets are part of the protocol layer, not “applications pretending to be tokens”.
You don’t need a smart contract to define or manage a token.
You don’t need to trust any dev as it’s validated by consensus.
Asset ownership and transfers are natively enforced by the core and not by arbitrary bytecode.
It’s like the difference between:
An actual decentralized OS with built-in syscalls (Qortal)
A BYO-OS environment where every app implements its own fake version of sys.exit() and malloc() (Ethereum)
See initial wiki post regarding Qortal Assets (nicknamed ‘Q-Assets’): https://wiki.qortal.org/doku.php?id=q-assets
So… Why do people use EVM contract-NoTokens anyway?
Apparently there are reasons, such as:
Composability: it’s easy to mix-and-match. But this has no basis IMO. ‘Mix and match’? What does that even mean and is that really worth legitimacy? Not in my mind.
Flexibility: you can write any logic you want. Okay, but that leads to a MASSIVE number of scams, when you can just as easily create a Q-App that is actually decentralized, and leverage a native, real token on Qortal.
VC-bait: endless room to “innovate”. Read: obfuscate, extract fees, and relaunch forks. Bingo! This, in my opinion, is the real reason. Fake ‘innovation’, which in reality is just newly created ICO scams to fill bags with FIAT debt notes. The exact thing that Bitcoin was built to replace. The ‘crypto space’ is seriously in a bad spot right now.
But at the end of the day, EVM tokens are just ‘contracts’ with a social contract.
Basically, they are nothing, and there isn’t even really any reason for them to be ‘on-chain’ other than hype, as they may as well be on a centralized server for all the ‘blockchain-like’ functionality they have, which is essentially none.
Qortal has the true alternative that doesn’t fall victim to the same pitfalls found in other major blockchains. To further reinforce this, let’s examine a couple more examples of such pitfalls. As such, one can safely say that:
“Wrapped” ETH isn’t actually ETH. Neither is wrapped BTC, or wrapped anything else, and when the primary chain they are wrapped on potentially dies, then those assets die as well!
EVM tokens aren’t tokens. They are simply code-based contracts with no immutability or any other native blockchain features. I always wondered why ‘audits’ were such a thing on EVM chains, and now I know!
Infinite approval could drain your EVM wallet. Along with any number of coder errors, scams, or manipulative tactics in the EVM oh-so ‘Smart’ Contracts.
That selfdestruct() or delegatecall() might nuke your funds from orbit. ‘Wow’ is all you can say here.
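For the infinite-approval and lingering-allowance risk named above, a defender can replay a wallet’s ERC-20 Approval logs and list what is still outstanding. This is an added example, not code from this post or from Qortal; the addresses and sample logs are constructed, and the function names are hypothetical.

```python
# Added example: replay ERC-20 Approval logs to find allowances an owner
# still has outstanding. Addresses and logs below are constructed.
# Topic0 is keccak256("Approval(address,address,uint256)").
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1  # the usual "infinite approval" value


def _addr(topic):
    # Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes.
    return "0x" + topic[-40:].lower()


def _pad(addr):
    return "0x" + addr[2:].rjust(64, "0")


def live_allowances(logs, owner):
    """{(token, spender): amount} of non-zero allowances granted by owner.
    Logs must be in chain order; the last Approval per pair wins."""
    state = {}
    for log in logs:
        t = log["topics"]
        if len(t) != 3 or t[0].lower() != APPROVAL_TOPIC:
            continue  # other events; an ERC-721 Approval has 4 topics
        if _addr(t[1]) == owner.lower():
            state[(log["address"].lower(), _addr(t[2]))] = int(log["data"], 16)
    return {pair: amt for pair, amt in state.items() if amt > 0}


def unlimited_approvals(logs, owner):
    """Pairs to revoke first: allowance equals the uint256 maximum."""
    live = live_allowances(logs, owner)
    return sorted(pair for pair, amt in live.items() if amt == UNLIMITED)


OWNER, OTHER = "0x" + "aa" * 20, "0x" + "dd" * 20
SPENDER_A, SPENDER_B = "0x" + "bb" * 20, "0x" + "cc" * 20
TOKEN = "0x" + "11" * 20


def _log(owner, spender, amount):
    return {"address": TOKEN, "data": hex(amount),
            "topics": [APPROVAL_TOPIC, _pad(owner), _pad(spender)]}


SAMPLE_LOGS = [  # constructed, in chain order
    _log(OWNER, SPENDER_A, UNLIMITED),  # never revoked
    _log(OWNER, SPENDER_B, 500),
    _log(OWNER, SPENDER_B, 0),          # revoked later
    _log(OTHER, SPENDER_A, UNLIMITED),  # different owner, ignored
]
```

Logs only record what the contract chose to emit, so treat the result as a worklist: confirm each entry against the token’s allowance(owner, spender) view and revoke with approve(spender, 0).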
Qortal brings sanity, with native-level control, verifiable logic, and no shell game required. That’s the future that decentralized tech needs, and not just the illusion of it.
This is all coming from someone who doesn’t like the idea of ‘assets’ (tokens) in 99% of cases.
Look, I have many times said that I do not like the idea of ‘assets’ at all, at least, not in the way they are currently able to be created. I have also said that I would like to design a new method of asset issuance on Qortal that provides a much more solid foundation.
However, it was only recently that, upon a deeper dive into the EVM nonsense, I discovered that EVM ‘tokens’ are not even real, not even tokens, and able to be programmed to steal. This made me reconsider my overall stance on the subject; just a little.
It is clear that tokens aren’t going anywhere, and honestly, the vast majority of uses for them today are in the form of ‘company stock’. In reality, this is what the asset issuance system of Qortal was designed to allow.
As long as the assets issued in this fashion (by a single entity) are done so in a way that is honest, and doesn’t trick people into believing they are actually coins issued by consensus, or pretend to be such, then I suppose I don’t have an issue with them. In 99% of cases I would still likely not hold any, but if I did, and they were ‘company stock’ in a company I actually thought would go somewhere, then sure, why not.
Don’t treat tokens as coins (and sure as hell don’t treat EVM NoTokens as coins). People must realize they are stocks in the company that launched them.
Hence, to conclude, if tokens are going to exist, they should at least be real tokens, controlled the same way as QORT, by consensus. They should be only spendable by way of a signature, and shouldn’t be so complex that they require individualized audits on each one prior to being deemed ‘legit’. Get real tokens, get Qortal.
The differences between ERC-20 smart contracts and real tokens on the Qortal blockchain are stark!
1. Balogun, A. L., Mahmud, M. S., Lee, Y. H., & Musa, S. S. (2024). Blockchain-based privacy protection for smart meters: A systematic review. Applied Sciences, 15(1), 450. https://www.mdpi.com/2076-3417/15/1/450
2. DroomDroom. (2023, September 13). ERC-20 allowance risks explained. DroomDroom. https://droomdroom.com/erc-20-allowance-risks-explained/
3. MyCrypto. (2019, December 27). Bad actors abusing ERC20 approval to steal your tokens. Medium. https://medium.com/mycrypto/bad-actors-abusing-erc20-approval-to-steal-your-tokens-c0407b7f7c7c
4. QuillAudits. (2023, June 30). vETH token $450k exploit analysis. QuillAudits. https://www.quillaudits.com/blog/hack-analysis/veth-token-450k-exploit-analysis
5. SDLC Corp. (2023, May 26). Security challenges in ERC-20 tokens: Identifying and addressing vulnerabilities. SDLC Corp. https://sdlccorp.com/post/security-challenges-in-erc-20-tokens-identifying-and-addressing-vulnerabilities/
6. Dexaran. (2017, October 17). Security problems of ERC-20 standard. Medium. https://dexaran820.medium.com/security-problems-of-erc-20-standard-cc2a1e300441